SSH Tectia can be used to enable cost-effective secure remote access to selected applications over the Internet although it is not a complete virtual private network (VPN) solution. It is possible to use the SSH Tectia client/server solution together with a perimeter VPN solution to create an extra layer of end-to-end security to most mission-critical applications. In those implementations where the VPN supports DHCP over IPSec or uses a similar method for providing the remote machine with a private IP address, SSH Tectia Client/Connector should work similarly over the internal and external network.
SSH Tectia Connector can be deployed so that its usage is fully transparent to the applications and to the user, whether connecting from the intranet or the Internet. Access to the intranet services goes through an SSH Tectia Server with Tunneling Expansion Pack that is reachable at a public IP address. SSH Tectia Server with Tunneling Expansion Pack can reside either on the perimeter of the corporate network (with a public IP address), or inside the network (with a private IP address) if the firewall is configured to forward connections made to the SecSh port (i.e. the regular port 22) to the private IP address owned by SSH Tectia Server with Tunneling Expansion Pack.
When using SSH Tectia Connector on a laptop for both local and remote access to the same shared resources, it is good to note the following:
SOCKS servers: when SOCKS servers are in use, which is often the case for accessing services located on the Internet from the intranet, the SOCKS server must be defined in the SSH Tectia Connector configuration for each SSH Tectia Server connection that is reached through the SOCKS service. Connections to those SSH Tectia Servers no longer work when the host running SSH Tectia Connector moves outside the intranet and still tries to reach them through the SOCKS server. With the current version, the user has to change the SOCKS server settings manually to match the new physical location.
Firewall "loop-back": access to the firewall's public address should be allowed from the intranet. The purpose is to form a single access infrastructure for all remote access users, so that all intranet services appear the same to SSH Tectia Connector regardless of the physical location the connection is made from. The alternative is an internal DNS server that maps the internal domain names to IP addresses different from those in the public DNS. Where that is possible, there is no need to route the data through the firewall.
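The following script is an added illustration of the two notes above and of the port-22 forwarding arrangement described earlier; it is not SSH Tectia Connector's own configuration format or code, and every name in it (the TunnelProfile fields, gw.example.com, socks.example.com, the documentation IP addresses) is a constructed assumption. It shows the logic a roaming laptop would need: detect the current location with a split-DNS probe, attach the SOCKS server to a connection only while inside the intranet, and flag when an inside host is about to reach the firewall's public address and therefore depends on the firewall "loop-back" being permitted.

```python
"""Location-aware connection planning for SSH tunnel profiles (added example)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Address ranges treated as "inside the corporate network" (RFC 1918).
# The ipaddress module's is_private also covers documentation ranges, so the
# check is done explicitly against these networks.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Resolver = Callable[[str], Optional[str]]


@dataclass(frozen=True)
class TunnelProfile:
    """One SSH server connection as the Connector would have it (hypothetical fields)."""
    name: str
    ssh_server: str                       # DNS name of the SSH server or of the firewall in front of it
    ssh_port: int = 22                    # SecSh port the firewall forwards to the server
    intranet_socks: Optional[str] = None  # "host:port" of the SOCKS server needed from inside, if any


@dataclass(frozen=True)
class ConnectionPlan:
    profile: str
    target_addr: str
    port: int
    socks_server: Optional[str]     # None means connect directly
    needs_firewall_loopback: bool   # True when an inside host will hit the firewall's public address


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the host's current DNS; None when the name is unknown."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def on_intranet(internal_only_name: str, resolve: Resolver = system_resolver) -> bool:
    """Split-DNS location test: a name served only by the internal DNS
    resolves only while the host is connected to the intranet."""
    return resolve(internal_only_name) is not None


def plan_connection(profile: TunnelProfile, inside: bool,
                    resolve: Resolver = system_resolver) -> ConnectionPlan:
    """Decide how to reach one SSH server from the current location."""
    addr = resolve(profile.ssh_server)
    if addr is None:
        raise LookupError(f"{profile.ssh_server} does not resolve from this location")
    # The SOCKS server is an intranet facility: from outside, connect directly.
    socks = profile.intranet_socks if inside else None
    # Inside the intranet without split DNS, the server name still resolves to
    # the firewall's public address, so the connection leaves and re-enters
    # through the firewall; that "loop-back" path must be permitted.
    loopback = inside and not is_private(addr)
    return ConnectionPlan(profile.name, addr, profile.ssh_port, socks, loopback)


# Constructed sample data using documentation addresses only.
GATEWAY = "gw.example.com"
INTERNAL_MARKER = "intranet-only.example.com"
INTERNAL_DNS = {GATEWAY: "10.0.0.5", INTERNAL_MARKER: "10.0.0.20"}     # split-DNS view from inside
NO_SPLIT_DNS = {GATEWAY: "203.0.113.5", INTERNAL_MARKER: "10.0.0.20"}  # inside, but only the public answer
PUBLIC_DNS = {GATEWAY: "203.0.113.5"}                                  # view from the Internet

CRM_PROFILE = TunnelProfile("crm", GATEWAY, 22, "socks.example.com:1080")


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: answers from a fixed table."""
    return lambda name: table.get(name)


def plan_from(table: Dict[str, str]) -> ConnectionPlan:
    """Plan the CRM tunnel as seen through one DNS view."""
    resolve = table_resolver(table)
    return plan_connection(CRM_PROFILE, on_intranet(INTERNAL_MARKER, resolve), resolve)


if __name__ == "__main__":
    for label, table in (("inside, split DNS", INTERNAL_DNS),
                         ("inside, no split DNS", NO_SPLIT_DNS),
                         ("outside", PUBLIC_DNS)):
        print(label, plan_from(table))
```

Run with a real resolver by passing system_resolver instead of a table; the split-DNS view yields a private target with no loop-back requirement, the no-split-DNS view keeps the SOCKS server but marks the connection as dependent on firewall loop-back, and the outside view drops the SOCKS server and connects directly to the public address on port 22.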
Figure 5.5 illustrates how the SSH Tectia client/server solution can be used to provide VPN-like functionality.
See also Securing Ascent CRM with SSH Tectia Connector Compatibility Note at http://www.ssh.com/resources/material/compatibility/.